You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

Search
Close this search box.
August 6, 2025

Thailand Releases Draft Guidelines on Government Cloud Adoption and Data Classification

Subscribe to Updates

Thailand’s Digital Government Development Agency (DGA) has released drafts of two pivotal documents to guide Thai government agencies in adopting cloud technology and classifying data for cloud usage. These draft guidelines, open for public hearing through August 12, 2025, are part of the national “Go Cloud First” policy, which aims to accelerate digital transformation, improve efficiency, and ensure robust data security across the public sector. The new standards will have significant implications for both government agencies and cloud service providers operating in Thailand.

Highlights of the draft guidelines are presented below.

Government Cloud Usage Guidelines

  • Cloud-first transformation: All government agencies are directed to prioritize cloud solutions for new IT projects, in line with the cabinet’s “Go Cloud First” policy.
  • Cloud model selection: Agencies must assess their needs and select the most appropriate cloud deployment model—public, private, hybrid, or community cloud—based on the sensitivity of the data and operational requirements.
  • Service types: The guidelines provide criteria for choosing between Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), emphasizing the importance of using standard, non-customized services where possible.
  • Cost management: Agencies are required to plan and separate cloud-related expenses, ensuring transparency and efficient budget allocation.
  • Cloud migration: The guidelines outline the steps for migrating to the cloud and highlight the role of cloud service providers in facilitating the process, including supporting innovation and enabling smooth exit strategies.
  • Procurement compliance: All cloud procurement must comply with public sector procurement laws and regulations. Only providers meeting government-mandated standards can be selected.
  • Security and shared responsibility: The guidelines clarify the division of security responsibilities between cloud providers and government agencies. While providers manage infrastructure security, agencies remain responsible for data, application, and access controls.
  • Legal framework: Agencies must comply with the Digital Government Administration Act, Cybersecurity Act, Personal Data Protection Act (PDPA), and other relevant laws.

Cloud Data Classification Guidelines

  • Three-tier data classification: Government data is classified into three categories:
    1. Official data: Low-sensitivity data, suitable for public cloud storage.
    2. Protected data: Data that could cause harm if disclosed (e.g., tax, medical, or financial records), recommended to be stored in domestic public clouds with enhanced security.
    3. Highly protected data: Critical or top-secret data (e.g., national security information), must be stored in sovereign or state-controlled clouds within Thailand, with the highest security measures.
  • Data sovereignty and localization: The guidelines stress that all government data is recommended to be stored within Thailand to ensure compliance with local laws and maintain data sovereignty. Exceptions require DGA approval, except for highly protected data. The guidelines also distinguish between data at rest and data in transit or processing. While the focus of localization is on data at rest, data in transit (e.g., during transmission) or temporary processing outside Thailand could be permitted under certain technical and legal safeguards, provided no unauthorized access occurs. A localization exemption could be granted with special approval from the DGA.
  • Cross-border data transfers: Storing data outside Thailand is generally prohibited for sensitive information, with limited exceptions subject to DGA approval. The guidelines define “data that should be in Thailand” as data at rest (i.e., data stored on servers), and this does not include data in transit (data being transferred) or data being processed.
  • Risk assessment: Agencies must conduct risk assessments based on confidentiality, integrity, and availability to determine the appropriate level of security and cloud deployment.
  • Security controls: The guidelines mandate strict access controls, encryption, and compliance with international standards (e.g., ISO 27001) for sensitive data.
  • Legal compliance: The framework aligns with the Official Information Act, PDPA, Cybersecurity Act, and other national security regulations.

Implications and Action Steps for Government Agencies and Cloud Providers

Under the new guidelines, cloud adoption will be highly encouraged for government agencies. Any deviation from the cloud-first approach will need to be justified, with the decision-making process documented.

Government agencies who have implemented or are seeking to implement cloud technology will need to review and update their internal policies to align with the new guidelines, implement robust data classification and risk assessment processes for all digital services before migrating data to the cloud, and plan cloud migrations accordingly.

To be eligible for government contracts, cloud service providers will need to meet stringent security, localization, and compliance standards, and prepare for increased scrutiny regarding data residency, security certifications, and service transparency.

Outlook

These new guidelines represent a significant step forward in Thailand’s digital government strategy. All stakeholders should familiarize themselves with the requirements to ensure compliance, minimize risk, and support the secure and efficient adoption of cloud technology in the public sector.

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

August 27, 2025
Vietnam officially enacted Law No. 91/2025/QH15 on Personal Data Protection (“PDPL”) on June 26, 2025, marking a major milestone in the country’s legal landscape. While the PDPL retains many provisions from its predecessor, Decree No. 13/2023/ND-CP on Personal Data Protection (“PDPD”), it adds new concepts, exemptions, and compliance obligations. Notably, it sets out a framework regulation for penalties for violations, including monetary fines of up to 5% of the corporate violator’s annual revenue in the previous year for cross-border data transfer breaches. With an effective date of January 1, 2026, the PDPL will apply to (i) Vietnamese agencies, organizations, and individuals; (ii) foreign agencies, organizations, and individuals in Vietnam; and (iii) foreign agencies, organizations, and individuals directly involved in or related to the processing of personal data of Vietnamese citizens and persons of Vietnamese origin without a determined nationality, currently residing in Vietnam, who have been granted a personal identification certificate. Although the PDPL does not explicitly define its relationship with the currently effective PDPD, the government is drafting a new decree to guide the PDPL’s implementation, the first draft of which is expected to be completed by September 2025, with an effective date aligned with that of the PDPL. Once both the PDPL and its implementing decree come into force, the PDPD will presumably cease to have legal effect. Some key takeaways from the PDPL are presented below. 1. Definitions of “Personal Data,” “Basic Personal Data,” and “Sensitive Personal Data” The PDPL introduces broad definitions for “personal data,” “basic personal data,” and “sensitive personal data.” It expands the scope of personal data to include both digital and non-digital formats, such as paper-based records. Notably, de-identified personal data is explicitly excluded from the definition of personal data. The PDPL further delegates authority to the government to issue exhaustive lists
Read More
August 25, 2025
Artificial intelligence (AI), semiconductors, and digital assets are considered critical drivers of Vietnam’s future economic growth and are fundamental to the nation’s digital transformation targets. These sectors form the core of Vietnam’s strategy to build a robust, globally competitive digital economy. This strategic direction gained substantial momentum with the issuance of the Law on Digital Technology Industry (DTI Law) on June 14, 2025. The DTI Law was designed to attract investment, stimulate innovation, cultivate high-quality human resources, and ensure the responsible, secure, and sustainable growth of digital technologies like AI and digital assets, harmonizing Vietnam’s digital industry with international standards while safeguarding public interests and national security. Several key provisions of the DTI Law took effect on July 1, 2025, and the law will become fully effective on January 1, 2026. The government is delegated to provide further necessary guidelines and details for implementation of the law. Artificial Intelligence (AI): Principle-Driven and Risk-Based Regulations Under the DTI Law, there are seven core principles guiding the development, provision, and use of AI which are applicable to AI developers, providers and deployers. These principles favor values-based governance over purely technical prescriptions, and include the following: Taking a human-centered approach that upholds ethical values, inclusivity, flexibility, equality, and non-discrimination. Ensuring transparency, accountability, and explainability, with AI systems remaining under human control. Maintaining cybersecurity and system safety. Adherence to data protection and privacy regulations. Having the ability to control AI algorithms and models. Effective risk management throughout the entire lifecycle of AI systems. Compliance with consumer protection laws and other relevant legal frameworks. AI system management follows a risk-based approach, with the law categorizing systems into high-risk, high-impact, and other groups. High-risk AI systems are those that, in certain applications, may pose significant threats or harm to individuals or the public interest while
Read More
August 21, 2025
On August 19, 2025, the Trade Competition Commission of Thailand (TCCT) released its draft Guidelines on the Consideration of Unfair Trade Practices and Conduct Constituting Monopoly, Reducing Competition, or Restricting Competition in Multi-Sided Platform Businesses in the Category of Digital Platforms for the Sale of Goods or Services (E-commerce). A public comment period on the guidelines is open until September 18. The draft provides the first detailed framework for how the TCCT will interpret and enforce the substantive provisions under the Trade Competition Act against digital platforms, which have a unique network effect and require complex competition analysis. This development will profoundly impact the operations of e-commerce platforms, sellers, and associated service providers in Thailand. The guidelines primarily target e-commerce digital platform business operators, which are defined as follows: E-commerce digital platform: A medium facilitating the sale, purchase, or exchange of goods or services, including any operations to create transactions or interactions between business operators via an electronic transaction system, regardless of whether service fees are charged. E-commerce digital platform business operator: A service provider of a digital platform for the sale of goods or services who acts as an intermediary facilitating the sale of goods or services, including any operations to create transactions or interactions through an electronic transaction system by receiving orders for goods or services transacted via an electronic system, whether in the form of an e-marketplace, a social marketplace, or any other form that connects purchase orders for goods or services with business operators through an electronic system. Prohibited Conduct The guidelines classify potentially anticompetitive conduct and unfair trade practices into two categories: price-related and non-price-related conduct. 1. Price-related conduct The TCCT is targeting pricing strategies that can harm competition. Key prohibited behaviors include: Price below cost: Setting prices below the average total cost without
Read More
August 21, 2025
On August 18, 2025, Thailand’s Securities and Exchange Commission (SEC), in collaboration with the Ministry of Finance, the Anti-Money Laundering Office, and the Ministry of Tourism and Sports, announced the launch of TouristDigiPay. The initiative, implemented under the SEC’s Regulatory Sandbox, allows foreign tourists to convert digital assets into Thai baht for use in everyday transactions in Thailand. Foreign tourists who opt to participate in TouristDigiPay must open two accounts once they are in Thailand: An account with a licensed digital asset operator to sell or exchange digital assets for Thai baht; and A tourist wallet account with a licensed e-money operator regulated by the Bank of Thailand. Funds from digital asset sales will be transferred into the tourist wallet, enabling tourists to make payments at participating merchants that accept e-money. Key Regulatory Requirements The TouristDigiPay project will operate for a period of up to 18 months, with the following conditions: Only licensed digital asset brokers, dealers, and exchanges integrated with licensed e-money operators are eligible to participate. Operators must implement anti-money laundering (AML) protocols that are proportionate to the assessed risk level. These include: Conducting know-your-customer and customer-due-diligence (KYC/CDD) checks on all users. For monthly transactions exceeding THB 50,000 per person, verifying the source of the digital assets and assessing AML risk using internationally recognized blockchain forensic tools or equivalent procedures. Suspending or rejecting services if digital assets are transferred from wallets flagged for AML concerns. Ensuring that conversion between digital assets and fiat includes safeguards such as matching account names and returning digital assets only to the original wallet. The following transaction limits apply to participants in the TouristDigiPay initiative: Payments to small vendors are capped at THB 50,000 per month. Payments to vendors who have completed the know-your-merchant (KYM) process are capped at THB 500,000 per
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2024 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Fraudulent Communications

| Legal Notice